OTTAWA — As we depend more on electronic devices for everything, the cases of counterfeit parts have piled up, even in military planes and helicopters. Each faked component—whether from a supplier cutting corners or an enemy hacking a critical supply chain—puts performance and security at risk.

In search of a solution, some of the biggest defence contractors in the U.S. have turned to a startup spun out of the University of Waterloo.

“Our supply chains for systems that we depend on get deeper and deeper and longer and longer. Because of that, the threat is that an actor anywhere in that chain modifies something maliciously—or is just trying to cut a corner financially,” said Sebastian Fischmeister, a professor of engineering and computer science at the Ontario university and CEO of Palitronica, the company with the huge new partners.

Recycled components are one thing, but parts that are scavenged, relabeled and passed off as something else can be security risks or endanger critical systems if they aren’t up to scratch. Pandemic-disrupted supply chains led some suppliers to sell iffy components to manufacturers desperate to keep their assembly lines moving. 

“The vast majority of companies are using a trust-based approach,” Fischmeister said. “They send you a questionnaire and they ask you, ‘How cyber-secure are you?’”

That’s not enough in 2023, he argued, but verifying that an electronic device is what it’s supposed to be often means taking it apart, which is time-consuming and—problematically—often irreversible.

Even the U.S. Defense Advanced Research Projects Agency has taken up the cause, trying to devise technologies to track chips throughout their life cycles.

At its core, Palitronica’s idea is simple: Take an electronic device or a part like a circuit board or microchip, send a zaplet of electricity through it, and carefully measure the electrical signature that comes out the other side. 

“Imagine being a submarine in a network of caves, and you send out a sonar ping and then you see what comes back. You use this to reconstruct something about the cave and understand the cave. What we do is something similar to that, with a high-frequency, low-power ping,” said Fischmeister.

If you’re certain the first one is genuine, and all the subsequent doodads you test respond to the electrical pulse in precisely the same way, then you can be confident all the doodads are good.  If the signatures are the same, the innards are the same; if one or more has a different signature, there’s something you need to investigate.

“Even if the counterfeiter tries to mimic the external functionality of the electronics, the internals are different,” Fischmeister said.

Canada has pledged to ban Huawei and ZTE gear from telecom networks, for fear that China’s security forces could use it to spy on Canadian internet traffic. But components in almost anything can pass through so many hands before a final product is delivered that figuring out what’s in that product can be hard even for experts. There’s a scandalous history of faked electronics, especially in parts for U.S. military machines.

In the late 2000s, counterfeit chips were found in U.S. and Canadian military planes, including Canada’s C-130J Hercules transporters. A vice-president of the company that made displays for those planes, L-3, testified to a U.S. Senate committee in 2011 that electronics go obsolete quickly but military equipment can stay in service for 25 to 40 years. When systems need upgrades or repairs, sometimes makers use what they can find.

That committee found suspected cases of counterfeit parts for four different models of U.S. military aircraft. Often, the parts were industrial-grade rather than the more rugged and expensive military versions. 

In 2015, the CEO of electronics distributor Harry Krantz pleaded guilty to selling faked chips into the supply chain for helicopters, including for the U.S. military.

Four years later, a California electronics reseller pleaded guilty to passing off old, used and discarded chips as new ones for years, some of which ended up in a classified U.S. Air Force weapon system. (He admitted to getting a Chinese testing lab to supply him with sanitized reports that left out the evidence of the fakery.) In June, yet another man pleaded guilty to selling counterfeit Cisco networking gear, complete with fake boxes and labels.

Palitronica began with a 2013 paper Fischmeister co-wrote with Waterloo colleagues Carlos Moreno and Anwar Hasan (Moreno would become a Palitronica co-founder). It was about measuring power consumption in embedded systems that weren’t working right, in situations where ordinary debugging wouldn’t work; the idea was to pinpoint the code the systems were executing when they failed.

“When you have an aircraft and you want to figure out what the aircraft does, you cannot stop the code because it will just come falling out of the sky,” Fischmeister said.

If you can follow the progress of a flawed program while it’s working, you at least know where to look for problems when it’s safe to do so. Essentially the same technique, figuring out what’s going on inside a system based on indirect evidence like its power use or the sounds it makes, is called a “side-channel attack” when wrongdoers use it to eavesdrop or hack.

Next they applied the idea to car security, devising a demonstration system that could check whether a signal to unlock a door came from a genuine key or a counterfeit.

“Everybody’s using network messages, log entries and all of these things, but we use physics parameters and properties to assist integrity,” Fischmeister said.

Since they founded Palitronica in 2019, it’s landed a contract with the Department of National Defence; spots in the University of Waterloo’s Velocity incubator and the blue-chip accelerator Y Combinator; and a deal to test its technology with Bruce Power, which runs a major nuclear generating station in Ontario.

“Our work with Palitronica has gone well, and there have been learnings and interest from both sides,” Bruce Power spokesperson John Peevers told The Logic by email. The power company lent electronics for testing and its staff experts advised Palitronica on the demands of an industrial setting. They remain in contact, Peever wrote.

Palitronica’s dream is to be able to test a fighter jet, Fischmeister said. For now, one module on such a jet is as big a subject as its technology can handle.

The company is profitable and still growing, Fischmeister said, with 11 full-time and four part-time employees. It’s looking to zero in its product-market fit before a Series A capital raise in 2024 to fund expansion.

And it just won a $1-million grant from the National Cybersecurity Consortium, a federally backed organization that nurtures cybersecurity innovations. In the group’s first batch of grants, Palitronica scored the only one for commercialization.

Palitronica is part of a group seeking the contract to maintain the electronics on Canada’s CF-18 fighters through to their expected retirement in 2032—that will be 50 years after the first ones arrived. The other members include Raytheon, one of the biggest defence contractors in the world, and Arcfield, which already has the maintenance contract until March 2024.

And one more: L3Harris, a corporate descendant of L-3, which included those fake memory chips in components for the Hercules transporters years ago.